The vulnerability has been fixed by Microsoft, so make sure your OS is up to date

Oct 14, 2011 09:45 GMT

DLL hijacking is not really news, but security analysts have now documented another variant of it, one that hides a malicious library next to an innocent-looking text document.

Commtouch Café reports that the piece of malware they labeled W32/Trojan2.NOXC took advantage of a Windows flaw in the way certain components resolved and loaded DLLs, which let a library be picked up from the folder of the opened document instead of from a trusted system location. Fortunately, a security update Microsoft issued in September (bulletin MS11-071) closed the hole, so on a patched system the malicious component has no way of running.

So how did the infection occur?

An innocent-looking DLL was placed in a folder together with an equally innocent-looking document. The document itself may well have been legitimate, but the DLL sitting next to it certainly was not. As soon as the .txt or .rtf file was opened, Windows loaded the malicious library and it went into action.

The malware then dropped executables at paths such as "%UserProfile%\Local Settings\UPS.exe" and "%UserProfile%\Local Settings\cisvc.exe", registered them in the Windows registry, and had them attempt a connection to a remote host on port 433.

For the attack to work, the document and the DLL had to sit in a folder whose name contains the string "{42071714-76D4-11D1-8B24-00A0C9068FF3}".

That string is the class identifier of the Display Panning CPL Extension, "deskpan.cpl", a shell extension tied to the Windows display settings. A folder carrying that identifier in its name makes Explorer treat it as that extension's namespace and look for "deskpan.dll" beside the document, so the attacker's "deskpan.dll" was loaded instead of the genuine one.
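As an added illustration of the folder shape just described, and not code from Commtouch, Softpedia, or the malware itself, the Python script below walks a directory tree and flags any folder whose name contains the Display Panning CLSID and that holds a file named deskpan.dll next to document files. It assumes only what the article states (the CLSID string, the deskpan.dll file name, and the document-beside-library layout); the directory tree it builds and the "MZ" placeholder bytes are constructed test data, not a real sample.

```python
import os
import tempfile
from pathlib import Path

# CLSID of the Display Panning CPL Extension, as quoted in the article.
DISPLAY_PANNING_CLSID = "{42071714-76D4-11D1-8B24-00A0C9068FF3}"

# Library name the article says Explorer resolves from the document's folder.
HIJACK_DLL = "deskpan.dll"

# Decoy document types worth reporting when found beside the library.
DOC_EXTS = {".txt", ".rtf", ".doc", ".pdf", ".jpg", ".png"}


def is_clsid_folder(name: str) -> bool:
    """True when a folder name carries the Display Panning CLSID (case-insensitive)."""
    return DISPLAY_PANNING_CLSID.lower() in name.lower()


def scan_for_deskpan_hijack(root: str) -> list:
    """Walk `root` and report every folder that contains a deskpan.dll.

    A hit inside a CLSID-named folder is rated "high" because that is exactly
    the layout Explorer will load the library from; a stray deskpan.dll in an
    ordinary folder is rated "low" (not loadable via this trick, but still odd
    outside the system directory). Results are sorted with "high" first.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        lowered = {f.lower(): f for f in filenames}
        if HIJACK_DLL not in lowered:
            continue
        decoys = sorted(f for f in filenames if Path(f).suffix.lower() in DOC_EXTS)
        severity = "high" if is_clsid_folder(os.path.basename(dirpath)) else "low"
        findings.append({
            "severity": severity,
            "folder": dirpath,
            "library": os.path.join(dirpath, lowered[HIJACK_DLL]),
            "decoys": decoys,
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["folder"]))


def build_demo_tree(base: str) -> str:
    """Create a constructed sample tree (test data, not a real infection)."""
    bad = Path(base) / ("Invoices." + DISPLAY_PANNING_CLSID)
    bad.mkdir(parents=True)
    (bad / "readme.txt").write_text("harmless looking text\n")
    (bad / "DeskPan.dll").write_bytes(b"MZ" + b"\x00" * 62)  # placeholder, not a real DLL
    good = Path(base) / "Reports"
    good.mkdir()
    (good / "notes.rtf").write_text("{\\rtf1 plain}")
    (good / "deskpan.dll").write_bytes(b"MZ")  # ordinary folder name: Explorer will not load it
    return str(bad)


def demo() -> list:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_for_deskpan_hijack(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(f"[{hit['severity']}] {hit['folder']} -> {hit['library']} beside {hit['decoys']}")
```

Pointed at a user's profile or a removable drive, the same scan gives a quick triage of the folder layout this trojan relied on; the file-name match is deliberately case-insensitive because Windows file names are.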

If you have already applied the Microsoft update you should be safe, but because the patch is fairly new, check that your operating system really is up to date; otherwise the malware can still run on the machine.

Also be on the lookout for suspicious-looking folders: even if they appear to contain only plain documents or pictures, they may also hold components you do not want running loose.

This goes to show that malware does not necessarily arrive as an .exe; techniques like this one let seemingly harmless images, Office documents and even PDFs serve as the trigger for something nasty.